Re: [Fwd: Bug#184566: security threat to postgresql
From | Neil Conway |
---|---|
Subject | Re: [Fwd: Bug#184566: security threat to postgresql |
Date | |
Msg-id | 1048281230.27986.25.camel@tokyo |
In reply to | [Fwd: Bug#184566: security threat to postgresql applications] (Oliver Elphick <olly@lfix.co.uk>) |
Replies | Re: [Fwd: Bug#184566: security threat to postgresql |
List | pgsql-hackers |
On Fri, 2003-03-21 at 16:06, Oliver Elphick wrote:
> Is this paranoia, or is it a valid security point. Any comments,
> please?

A little from column A, a little from column B, IMHO.

> if an application is linked against libpq, then the user is able to
> specify environmental variables to override the defaults

Note that this overrides the *default* -- if the application specifies the full set of data of the host it wants to connect to, the environmental vars shouldn't be used, AFAIK.

> if the user runs the program with the environment variable PORT set to
> 23423, he can install his own program on that port listening for the
> password! he can then use that password to connect to the real database
> and delete everything.

How is that any different than the user altering the database hostname the client connects to, and setting up a fake DB server on that host? Many database applications allow that...

Cheers,
Neil
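
The point made in the message above, as an added example that is not part of the original message or of libpq itself: a check that reports which connection keywords an application leaves unset and the environment therefore fills in. The helper names, the sample connection strings and the sample environment are constructed for illustration; the keyword-to-variable table is a subset of libpq's documented environment variables (PGPORT is the variable behind the "PORT" of the quoted report), and the parser assumes plain `key=value` pairs.

```python
import os
import shlex

# libpq connection keyword -> environment variable consulted when the
# application does not supply that keyword (subset of the documented list).
LIBPQ_ENV_FALLBACKS = {
    "host": "PGHOST",
    "hostaddr": "PGHOSTADDR",
    "port": "PGPORT",
    "dbname": "PGDATABASE",
    "user": "PGUSER",
    "password": "PGPASSWORD",
    "service": "PGSERVICE",
    "sslmode": "PGSSLMODE",
}


def parse_conninfo(conninfo):
    """Parse a 'key=value key=value' string (assumption: no spaces around '=')."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {token!r}")
        params[key] = value
    return params


def env_controlled(conninfo, environ=None):
    """Return {keyword: (envvar, value)} for keywords the environment decides."""
    environ = os.environ if environ is None else environ
    explicit = parse_conninfo(conninfo)
    found = {}
    for keyword, envvar in LIBPQ_ENV_FALLBACKS.items():
        if explicit.get(keyword):  # set and non-empty: the environment is ignored
            continue
        if envvar in environ:
            found[keyword] = (envvar, environ[envvar])
    return found


# Constructed sample data: an environment as the invoking user might set it,
# and two connection strings an application might hard-code.
SAMPLE_ENV = {"PGHOST": "localhost", "PGPORT": "23423", "HOME": "/home/user"}
PARTIAL = "dbname=app user=app"
FULL = "host=db.internal.example port=5432 dbname=app user=app"

if __name__ == "__main__":
    for label, conninfo in (("partial", PARTIAL), ("full", FULL)):
        print(label, env_controlled(conninfo, SAMPLE_ENV))
```
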